Confidentiality-Preserving Publicly Verifiable Computation Schemes for Polynomial Evaluation and Matrix-Vector Multiplication

1School of Mathematics, Shandong University, Jinan, Shandong 250100, China 2State Key Laboratory of Information Security Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China 3School of Engineering and Information Technology, University of New South Wales Defence Force Academy, Canberra, Australia 4Centre for Computer and Computational Science, School of Computing and Mathematical Sciences, University of Greenwich, London, UK


Introduction
Outsourcing computation has been served as a significant service with the rapid development of Cloud Computing Technology.It provides the service purchaser (whom we call user) with constraint computational power to delegate the complicated computational tasks to the service provider (which we call cloud server) and enjoy its unlimited computational resources in a pay-per-use manner.This brings a huge convenience for resource-constraint devices to reduce their computational overhead and thus has attracted significant interests in both industrial and academic communities.A number of large enterprise groups, such as Amazon, Google, and Alibaba, have launched their Cloud Computing to provide computation outsourcing services.What is more, in Big Data era, the ability to deal with the massive data has become core competitiveness while outsourcing computation just fits this demand.
While outsourcing computation paradigm enjoys numerous benefits, it also suffers from rigorous challenges [1].To begin with, since the cloud server is commercialized, sometimes it may not perform the computation honestly but output a computationally indistinguishable result in order to save its cost for more interests.Therefore, a basic requirement of outsourcing computation is to assure the correctness of the computational result.In other words, the user should have a way to verify the correctness of the output from the cloud server with an overwhelming probability.Despite the untrustworthy of cloud server, misbehavior may also happen from the user side.For example, a malicious user may deliberately claim the output from the cloud server incorrect and slander the cloud service provider by this even if the cloud server has performed the computation honestly.This is due to the fact that verification is done in a private manner.Therefore, it is preferable that the verification can be done publicly.That is to say, anyone except the user himself is able to verify the output from the cloud server.With public verification, not only cannot the cloud server cheat with an incorrect output, but also the user cannot claim the output from the cloud server incorrect for no reason, because now the output is witnessed and verified by everyone.Secondly, since sometimes the computational result is something sensitive, it needs to be kept secret to any party except the user himself.Thus another challenge of outsourcing computation is to assure confidentiality of the computational result, especially when the output from the cloud server can be verified publicly.Last but not least, the whole workload of the user in certain computation outsourcing procedure must be much less than accomplishing this computation task all by the user himself.We call this the requirement of efficiency.This is essential because if not, the outsourcing will be meaningless.
The evaluation of multivariate polynomials () is one of the most fundamental computational tasks in scientific communities.In practice, there are so many problems that can be reduced to a model of evaluating certain polynomial with multivariate input value, for example, to evaluate an employee's performance in a company and to evaluate a person's health condition.Matrix-vector multiplication is another fundamental computational task that is widely applied, for example the Discrete Fourier Transform (DFT) and the Singular Value Decomposition (SVD).And in Big Data era, with the data we need to deal with getting more and more enormous, it is very likely that the storage requirement when evaluating multivariate polynomials or matrix-vector multiplication exceeds the available memory of the user's computational devices, like cell phones or portable laptop.Thus we need to find another way to fulfill the computational tasks securely and efficiently.Plenty of works have been done to seek secure and efficient schemes of outsourcing computation for polynomials and matrix-vector multiplication.Fiore and Gennaro [2] proposed schemes to securely outsource evaluation of multivariate polynomials and matrixvector multiplication and verify the corresponding result in a public manner.Unfortunately, one disadvantage of their proposal is the leakage of final result.Anyone is able to verify the correctness of the output from the cloud server and then obtain the result of the target evaluation.This brings a drawback in practice when the result is something sensitive, for example, the year-end bonus of an employee and the health condition of a person.

Related Works
1.1.1.Verifiable Computation.Verifiable computation (VC) was first proposed by Gennaro et al. [3].In VC, only two parties are involved, the client that processes the input data and the server that evaluates the target function with the value client sends.The output of the server can be verified by the client only.Both the input and output value of the function are private in the whole procedure.Gennaro et al. proposed a concrete VC scheme for arbitrary circuit using Yao's [4] two-party computation scheme and Gentry's [5] fully homomorphic encryption (FHE) scheme.After that, different VC schemes using FHE were proposed [6][7][8].They made use of various techniques to achieve verifiability.However, applying FHE in practice brings expensive overhead.

Publicly Verifiable Computation. Different from VC
where the verification is done privately, publicly verifiable computation (PVC) allows anyone to verify the result output by the server.PVC brings more flexible application in the untrusted cloud environment than VC, mainly in two-fold.One is to release the workloads of verification for the client.Another is the supervision of users.This is because if the verification is only done privately, once an incorrect result is claimed, it is hard to tell whether the server misbehaved or the user is intentionally slandering.However if the result can be verified publicly, the user's slandering is easy to detect.PVC was first proposed by Parno et al. [16].They constructed a PVC scheme for Boolean functions using KP-ABE schemes.After that, many PVC schemes were proposed [2,[17][18][19].In 2012, Fiore et al. [2] proposed a PVC scheme for multivariate polynomial evaluation and matrix multiplication.They took inspiration from Benabbas et al. 's [9] VC scheme to use pseudorandom function that enjoys closed form efficiency to generate the verification key efficiently, and they generalized the function to multivariate case.Moreover, by leveraging the technique of bilinear map, they have improved the verification procedure from private to public manner.With the similar technique, Sun et al. [17] constructed batch verifiable computation schemes with public verification for polynomial and matrix that achieve simultaneously evaluation of multiple functions in one outsourcing phase.In 2016, Elkhiyaoui et al. proposed another solution for univariate polynomial evaluation and matrix multiplication.They leverage the idea of Euclidean division of polynomials to construct the structure of the verifiable computation.And the bilinear map technique is utilized to make the verification able to be public.However, this idea is only suitable for univariate polynomial scenario.What is more, all the schemes mentioned above share the same disadvantage that anyone except for the user that verifies the result will surely obtain its concrete value.This is insecure in practice when the result of certain computation is usually something sensitive and the verification process is supposed to output a judgement to the correctness of the result rather than disclosing the value itself.To overcome this, Alderman et al. [20] improved Parno et al. 's [16] scheme with a secret substitution bit and presented a PVC with key distribution center (KDC) for Boolean functions.They also achieved other properties like revocation based on this PVC with KDC [21,22], but this way of using secret substitution bit cannot fit other functions that have large range.

Our Contributions.
In this paper, we present a modified PVC model that is considered to be more practical.It captures the confidentiality of the computational result, which we believe is an important property when utilizing in practice.
We present outsourcing schemes for securely and efficiently evaluating high degree multivariate polynomials and matrix-vector multiplication.Compared with existing outsourcing schemes for polynomials [2,23] and matrix multiplication, our proposal simultaneously captures properties of both public verifiability and result confidentiality.This offers a more flexible application in practice.
We also provide the algorithm for our outsourcing scheme and run some simulated experiments to show the efficiency of the proposed schemes.
This paper is an extension of its corresponding conference version [24].In the revised version, we extends the CP-PVC scheme to the matrix-vector multiplication case.The resulting scheme proved to achieve not only the properties of polynomial case (i.e., security, public verifiability, and result confidentiality) but also the input privacy.We run corresponding simulated experiments and the result is also acceptable for practice.

Paper Organization.
The remaining parts of the paper are organized as follows.Some necessary preliminaries are provided for the proposed schemes in Section 2. The framework of the proposed CP-PVC protocol is defined in Section 3. The concrete constructions of the CP-PVC schemes for polynomial evaluation and matrix-vector multiplication are presented, analyzed, and simultaneously experimented separately in Sections 4 and 5.The conclusion of the paper is in Section 6.

Preliminaries
In this section, we provide some definitions about algebraic pseudorandom function (PRF) with closed form efficiency, bilinear Map, and some related notions.We also provide the computational assumptions that are used for the construction of our schemes.

Algebraic PRF with Closed Form
Efficiency.One of our main techniques is the PRF with closed form efficiency. PRF is a function (denoted by ) that is generated from a secret seed .It owns the properties of both randomness and computational efficiency.A closed form efficient PRF consists of algorithms (KG, ) that are defined as follows: (i) KG(1  ) → (, ): The randomized key generation algorithm takes as input the security parameter 1  and outputs a tuple of parameters (, ), where  denotes the secret seed and  denotes the public parameters that specifies the domain  and range  of the function, respectively.
(ii) (, ) → : The deterministic functional computation algorithm takes as input the secret seed  and the value  ∈  and computes a value  ∈ .We usually denote it by   (⋅).
An algebraic PRF with closed form efficiency must satisfies the following properties: (1) (Algebraic) A PRF (KG, ) is algebraic if the range  of   (⋅) forms an abelian group.We use multiplication notation for group operation.
Here we only show the definition of PRF with closed form efficiency.We will give a concrete algorithm of PRF with closed form efficiency for multivariate polynomials in Section 3.

Bilinear Map.
Our constructions also use bilinear maps.Bilinear pairing is a powerful tool in noninteractive authentication and has been widely applied in both encryption and signature schemes [9,25].To be specific, let G 1 , G 2 , and G  be finite cyclic multiplicative groups of order , and let , ℎ be generators of G 1 and G 2 .A map ê : G 1 × G 2 → G  is called a bilinear map if it satisfies the following properties: (1) Bilinearity: it holds that ê (  , ℎ  ) = ê (, ℎ)  (3) for all ,  ∈ Z  .
(2) Nondegeneracy: there exist (3) Computability: there exists an efficient algorithm to compute ê( 1 , ℎ 1 ) for any 2.3.Computational Assumptions.The computational assumption that is used for the construction of the PRF with closed form efficiency is decision linear (DL) assumption.We present the definition below.
Definition 1 (decision linear assumption).Let G be a group of prime order .Given  0 ,  1 ,  2 ∈ G and  0 ,  1 ,  2 ∈ Z  , one defines the advantage of an algorithm A in deciding the decision linear problem in G as One says that the decision linear assumption (, ) holds in G if for every -time algorithm A one has Adk  A ≤ .
Note that the decision linear assumption holds in generic bilinear groups.Relative proof can be found in [26].
Next we present the definition of co-CDH, which is the base for the security of our proposed schemes.The co-CDH assumption was first introduced in BLS signature scheme presented by Boneh et al. [27], as a natural extension of standard CDH problem in asymmetric bilinear pairing.It is defined as follows.

Modelling CP-PVC
We use an amortized model [16] to construct our CP-PVC scheme.That is, the user (denoted by S) shall invest a larger amount of computational work in a preprocessing phase in order to obtain efficiency during the computation outsourcing phase.The adversaries in a PVC protocol are two types, the cloud server (denoted by ) and some "curious" verifiers (denoted by ).The former is in lazy-but-honest model [28] and the latter is in honest-but-curious model.This is reasonable since, in practice, a rational commercial cloud service will try to minimize the computation it needs to do to pass the verification algorithm.And passing the verification algorithm is its priority because only in this way can it get the payback.Also since the verification is public, there will be some curious verifiers that perform the public verification algorithm and try to discover some secret information about the final result value.
A difference between the framework of PVC proposed by Parno et al. [16] and ours is that we address the confidentiality of the computational result.In the public verification phase, a bit is output instead of the result value.And the result value is obtained in the later phase called private retrieval.To realize confidentiality, the user needs to operate the target function in the preprocessing phase and obtain a secret key for retrieval and keep it secret.
Let F be a class of functions and  ∈ F. We define a confidentiality-preserving publicly verifiable computation (CP-PVC) protocol  via the following five algorithms: (i) KeyGen(1  , ) → (  ,   , ): The randomized key generation algorithm takes as input a security parameter and the function  and as outputs a secret key   for the input delegation phase, an evaluation key   for the cloud server to compute the outsourced message, and the public parameter .This is done by the client.(ii) ProbGen(,   , ) → (  ,   ,   ): Given the public parameter , the secret key   , and the input value  ∈ Domain(), the randomized problem generation algorithm outputs a public value   , which is the encoding of , together with a public verification key   for nonclient parties to verify the correctness and a private retrieval key   for the client to retrieve final result ().This is done by the client.(iii) Compute(  ,   ) →   : On inputting the evaluation key   together with the value   , the randomized computation algorithm outputs a value   .This is done by the worker (cloud server).
(iv) PubVer(,   ,   ) → {, }: The deterministic public verification algorithm uses the public parameter  and public verification key   to check whether the final result is correct and returns  or  accordingly.This is done by the nonclient verifiers.(v) PrivRet(,   ,   ,   ) → : The deterministic private retrieval algorithm is run on input ,   ,  , and   to compute a string  ∈ {0, 1} * ∪{⊥ }.Here, the special symbol ⊥ indicates that the public verification algorithm rejects the worker's answer   .This is done by the client.
A verifiable computation scheme should be both correct and secure.We give the definition of correctness and security in the following.
The security of a verifiable computation requires that the worker is not able to output an incorrect value that passes the PubVer or the PrivRet algorithm.We give the formal definition via the following experiment.Definition 4 (security).Let  be a confidentiality-preserving publicly verifiable computation scheme for a class of functions F, and assume that A is PPT adversaries.Consider Experiment EXP A [, , ] for any  ∈ F below: A confidentiality-preserving publicly verifiable computation scheme  is secure for a class of functions F, if, for any  from F and any PPT adversary A, it holds that Here ( ) represents a negligible function in .
Next we give the confidentiality definition of CP-PVC which is not defined in existing PVC frameworks [2,16].
In this paper we focus on the confidentiality for final result, which means that the adversaries cannot learn any information about the value  = () from the value   output by Compute algorithm.Here the adversaries refer to the cloud server and any nonclient verifier.Since the cloud server has extra knowledge of the evaluation key compared with the nonclient verifiers, we only need to define the result confidentiality to cloud server.And the confidentiality to cloud server implicitly implies the confidentiality to nonclient verifiers.Notice that we do not emphasize the input privacy as a necessity in publicly verifiable computation.This is because, in some scenarios, input data is obtained from some public sources that can be accessed by anyone.However, we still present a loose definition on input privacy for multivariate function, which we call ( − )-privacy.Intuitively, it means that, for a function with an input set of multi-independent variables, the probability that the adversary leans the values of a  fraction of the input sets is .The definitions are as follows.

Definition 5 (result confidentiality
Finally, we give the definition of efficiency.Informally speaking, efficiency means that the total computational cost on the client side by engaging the CP-PVC scheme is less than that of executing the direct algorithm to compute the target function.In the amortized model, since the KeyGen is done once and amortized by multiple function evaluation with different input value, this part of computational overhead does not need to be counted in. Definition 7 (efficiency).A confidentiality-preserving publicly verifiable computation protocol  for a class of multivariate functions F is efficient if, for any  from F and any  chosen from Domain(), the total computational cost of algorithms ProbGen and PrivRet is less than that of directly evaluating  on .

The CP-PVC Scheme for Polynomial Evaluation
In this section, we first review the construction of PRF in [29], showing that it is closed form efficient for polynomials in  variables and degree at most  in each variable.Then we present the corresponding algorithm for evaluating the PRF and its closed form efficiency.After that, we give the concrete construction of our CP-PVC scheme for polynomial evaluation together with the analysis and experimental simulation.=  ( 1 ,...,  ) (9) where (⋅) is the polynomial whose coefficients are the discrete logs of the  values.If we set  ( 1 ,...,  ) =   ( 1 , . . .,   ), then there exists an algorithm CFEkal Poly, (,  1 , . . .,   ) that can compute

Algorithm for PRF with
in time ( log ), instead of the regular running time (  ⋅  log ).
The proof of the above claim can be found in [2].Here we show the algorithm for evaluating the PRF as well as the polynomial ( 1 , . . .,   ).
Let  = ⌊log ⌋ + 1.The construction of PRF is the following algorithm: The algorithm outputs The domain of the function is {0, . . ., }  , and the range is G 1 .
Finally, the value of the PRF is   () =   1  () .Let  = ( 1 , . . .,   ) be the input; the polynomial  can be written as Now we present the algorithm for evaluating the computation  ( 1 ,...,  ) in Algorithm 2. The derivation and proof can be found in [2].
With the use of the above closed form efficient PRF in Algorithm 2, we can realize public verifiability by letting the PRF value be a part of the verification key.Then our remaining goal is to make this public verification process "blind".Intuitively, to make the value () confidential, one way is to encrypt the input value .This is usually done in verifiable computation schemes.However such operation requires the homomorphic property of the encryption scheme, and encryption schemes with better homomorphic set  1  () =  0 ,  2  () =  0 for  = 1 to : do for  = 1 to : Algorithm 2: CFEkal Poly (,  1 , . . .,   ).
property are usually less efficient.Therefore, here we consider the way to blind the target polynomial .We use two sparse -variate polynomials () and () to randomize the target polynomial.Here sparse means that the degree of the polynomial is 1 and there are at most  terms of monomials that are nonzero.Thus the value of () is covered under () and (), and the computational overhead of () and () is ().

Construction of CP-PVC for Polynomial
Case.Now, we present our concrete scheme of CP-PVC for multivariate polynomials  with  variables and degree at most   of each variable.In the case,  has totally at most  = (  + 1)  terms of monomial.Assume () = ()()+().Let the degree of each variable be at most  and the total terms of monomial be  = ( + 1)  , and for 1 ≤   ≤  write   = ( Compute: On receiving   = (, ) and   = , the cloud server computes   = () = ∑    =1 t  ⋅    (),  = ∏    =1       () and outputs PubVer: On receiving   = (  (), ℎ) and   = (  , ), the verifier checks the equation The algorithm outputs  if the above equation holds; otherwise it outputs .

4.3.
Security Analysis.Now we analyze the correctness, security, and confidentiality of the proposed CP-PVC scheme.

Confidentiality.
We show that, for an adversarial cloud server with the information of (,   ,   ,   ,   ), the probability that it can extract the value of the result  is negligible; i.e., the result confidentiality holds for cloud server.This implies that the confidentiality also holds for any third party verifier since they have less information (  ) than the cloud server does.To extract  = (), one way is directly from ().However, this requires the knowledge of ((), ()) which are parts of the retrieval key and kept secret.The other way is to discover the coefficients of the function (⋅) and evaluate  on  since the input value  is a plain text stored in   .We will show that under this circumstance the adversary cannot discover the coefficients of  with a nonnegligible probability.Let , ,  be as follows: and then we have that t     () .Note that the above system does not have a unique solution in G 1 , and the coefficients of (⋅) and (⋅) are chosen uniformly at random from G 1 .This means that the probability to choose the correct coefficients is negligible, and thus the privacy of coefficients of (⋅) is guaranteed, which makes the confidentiality of the final result hold.

Security. The security of the scheme is based on co-
CDH assumption and the corresponding proof follows from that in [2].We take it as an inspiration and define the following four games.

Game 0. It is the same as Experiment EXP A [𝜋, 𝐹, 𝜆].
Game 1.It is similar to Game 0, with the difference that   contains coefficients randomly chosen from G 1 instead of .Game 2. It is similar to Game 1, with the difference that the ProbGen phase uses an inefficient algorithm ∏    =1   (  )    () instead of the CFEkal Poly (,  1 , . . .,   ) to evaluate   .Game 3. It is similar to Game 2, with the difference that each value   (  ) is replaced by a random element    ∈ G 1 .
We use a hybrid way to perform the proof, with the following claims.

Corollary 4. Pr[𝐺
Proof.This claim holds in an obvious way, since the change of algorithm for evaluating   does not change the distribution of its values.Thus the probability that the adversary wins is the same in both Games 0 and 1.

Corollary 5. |Pr[𝐺
Proof.The difference between Games 2 and 1 is the coefficients of the target function.According to the confidentiality proof, these coefficients are indistinguishable since  and  are chosen uniformly at random, thus sharing the same distribution in the view of the adversary.Proof.The difference between Games 3 and 2 is that the output of PRF   () is replaced by uniformly random elements in G 1 .According to the pseudorandomness property of PRF, the probability that an adversary A distinguishes the two values is no better than   .Proof.To prove this claim we need to show that if there exists a PPT algorithm that wins in Game 3 with a probability larger than  ℎ , then one can build an efficient algorithm B with oracle access to A to solve the co-CDH problem with some nonnegligible probability.Assume that the group in co-CDH problem is described as (, , ℎ, G 1 , G 2 , G  , ê) and the adversary is given a co-CDH tuple (  , ℎ  ) with the exponents ,  chosen randomly from Z  ; the algorithm B works as follows.
First, B needs to simulate public parameter  and evaluation key   .It computes the bilinear map (  , ℎ  ) and chooses 2 random elements { t  ,    } 1≤  ≤ .The simulated public key  = ((  , ℎ  ), ), and the simulated evaluation key   = (, ) = { t  ,    } 1≤  ≤ .Since the  generated in Game 3 contains a PRF as a factor and the PRF enjoys pseudorandomness, it is clear that the  and   generated above enjoy a perfect distribution as that in Game 3.
Second, B gives the simulated  and   to A and prepares to simulate the answers to the queries from A. A difference here is that B does not need to generate the retrieval key  in querying phase as that in Game 3 because A does not have access to , neither does B need this  to solve the co-CDH problem.Let   (1 ≤  ≤ ) be the querying value.B first computes    = (   , ℎ)/(  , ℎ  ) t  and then computes    = ∏    =1       (  ) .Since in Game 3, combining the bilinear property of map , it is clear that the simulated    also enjoys a perfect distribution as that in Game 3. A is then given the corresponding verification key    .Let  * be the challenge value chosen by A. The above process is repeated and A obtains   * .Finally, A will output a tuple σ * = ( ŷ, V) such that PubVer (  * ,   * ) → , where  = t and  * ̸ = ( * ).Due to the correctness property, this  * ̸ = ( * ) also implies that ŷ ̸ = ( * ).By  =  we obtain that Let  = ( * ) be the correct output of the PrivRet algorithm.
Dividing ( 25) and ( 26) and combining bilinear property, we can obtain that Then B can compute   = ( V/) We present a complexity comparison between our scheme and existing works of PVC schemes for polynomial evaluation [2,19].After analyzing the specific arithmetic of each algorithm, We would like to use the notation  to compare computational complexity.Since the arithmetic operations in different groups are the same, we use three types of notation,   ,  , and   , to classify different types of complexity.  denotes the time complexity of operations in ring Z  including integer addition and multiplication modulo prime .  denotes the time complexity of operations in ring N including addition and multiplication.  denotes the time complexity of operations in group G 1 , G 2 , G  including multiplication, exponentiation, and bilinear map.The comparison result is shown in Table 1.From the table we can see that, compared with the scheme in [2], ours has a complexity increase of   (   ) in KeyGen,   () in ProbGen, and   (1) in PrivRet performed by the client.However, since the most expensive arithmetic in each of the three phases is   (   ),   ( log   ), and   (1), respectively, the impact of the increasing complexity will not be obvious in the real performance.Compared with the scheme in [19], we first notice that the scheme in [19] only works for univariate case, while ours works for multivariate case.If we set " = 1", the complexity of the two schemes is nearly the same, with a small increase of   (1) in ProbGen and PrivRet respectively, which is not the most expensive part in the two phases.By doing so, our scheme achieves a security propertyresult confidentiality that is considered to be important for user privacy.
We also provide some experimental simulation of CP-PVC for polynomial to show the efficiency.Intuitively, efficiency means that the total computational overhead on the client side by engaging an outsourcing computation protocol is less than that by directly executing the target function algorithm.Since our scheme is constructed in an amortized model, i.e., the computations in KeyGen need to be done only once, we will not count that part of computation in the efficiency performance.Then for the client side, all the computation costs that are counted contain ProbGen and PrivRet phase.We implement the corresponding algorithms on the client side using MATLAB 2015 on a computer with Intel(R) Core(TM) i7-4790 CPU processor running at 3.60 GHz and 8 GB RAM.We show the time cost for different sizes of problems in Table 2, where  represents variable number and  represents bit length of the highest degree   .This part of work is done in the previous conference version of this paper [24].
For comparison of efficiency, we also do some evaluation using the direct algorithm () = ∑    =1 f  ⋅    (), where    () represents each monomial for polynomial  and  = (2  + 1)  .The corresponding result is shown in Table 3, which is also done in the previous conference version [24].We see that the cost time is already infinite when the case goes to  = 50.This is reasonable because theoretically the complexity of the direct algorithm is ( ⋅ 2  ).Recalling that the complexity of the way using closed form efficient PRF is (), thus the scheme achieves a log time efficiency promoted for the evaluation of multivariate polynomials.We Table 3: Times cost of direct algorithm [24].
show in Figure 1 a time cost comparison between direct algorithm and outsourcing algorithm, in which case  = 10; i.e., the degree of each variate is 2 10 .This is also done in the previous conference version [24].

The CP-PVC Scheme for Matrix-Vector Multiplication
In this section, we first review the PRF that is used for matrix-vector case and give the algorithm for its closed form efficiency. Then we give the concrete construction of our CP-PVC scheme for matrix-vector multiplication together with the analysis and experimental simulation.Let G be a group generator that takes as input a secure parameter  and outputs a description of group with prime order.The PRF is defined as follows: (i) KG(1  , , ): Run G(1  ) to generate a group description (, , G 1 ).Choose 2( + ) random values (ii)   (⋅): Let (, ) be the input of the PRF.The algorithm outputs The pseudorandomness holds under Decisional Linear assumption, and the corresponding proof is shown in [29].We omit it here.Now we consider the -dimensional vector  →  = ( 1 , . . .,   ) ∈ G, where   = ∏   ,   and ( , ) forms an  ×  matrix.We show that the construction of PRF M (KG,   (, )) admits the closed form efficiency for the computation of vector  →  .If we set  , =   (, ), then there exists an algorithm CFEkal Matrix (,  1 , . . .,   ) that can compute  →  = ( 1 , . . .,   ) in time ( + ), instead of the regular running time ().The corresponding algorithm is shown in Algorithm 3.With the use of the above closed form efficient PRF in Algorithm 3, we can realize public verifiability by letting the PRF value be a part of the verification key.Then our remaining goal is to make this public verification process "blind".Inspired by the blinding technique in Chen et al. 's work [15] result is confidential and the public verification phase can be processed as usual.However, to retrieve the real result   →  , the user needs to compute the value   →    →  and   →  .This will cost three times the original computational task   →  does (()).To reduce the overhead of this computation, we can make the blinding vector and matrix sparse.The sparse matrix is like that in [15].To make the result confidentiality solid, we usually set at least one nonzero element in each row of matrix .For the sparse vector, we set randomly ⌈(1 − )⌉ (0 <  < 1) positions 0. Then the computational overhead of   →  ,   →  , and   →  is reduced to (), (), and ().What is more, the blinding vector also preserves the privacy of input data to some extent.

Construction of CP-PVC for Matrix-Vector
Case.Now, we present our concrete scheme of CP-PVC for matrix multiplication.Let  be a prime.Recall that our goal is to compute the -dimensional vector  →  =   →  , where  is an  ×  matrix denoted by ( , ) with entries from Z  .Such matrix-vector multiplication can be naturally extended to matrix-matrix multiplication by regarding the latter matrix as a row vector of column vectors and repeating the above matrix-vector multiplication several times.For matrix-vector multiplication   →  , the CP-PVC scheme works as follows: (i) KeyGen: Let  = ( , Remark 8.In order to be uniform, we assume that each entry of the matrix  and vector  →  is from ring Z  .However, when performing the arithmetic computation between matrixmatrix, vector-vector, and matrix-vector, the execution is actually done in the ring N.That is, the results are not in the form modulo prime .This is to keep correctness of the computational result.

Security
The above proves the correctness for evaluating  → Notice that the blinding matrix has at least one nonzero element in each row, and the nonzero elements are all chosen uniformly at random.Thus the   are all blinded by a random nonzero element, which makes the confidentiality of  →  hold.
As an additional bonus, the random sparse vector  →  that is added to the input  →  provides some preservation to the privacy of input value.Since the vector is sparse, with ⌈(1 − )⌉ coordinates being 0, such blinding operation may preserve the input privacy at a degree of 1 − ; namely, the adversary may successfully guess one entry of the input vector with this probability.However since the position of 0 elements is chosen at random, the probability of the adversary to recover 1 −  fraction of the input data is 1/ (   ).

Security.
The proof of the security follows that in [2].We take it as an inspiration and define the following four games.We use a hybrid way to perform the proof, with the following claims.

Corollary 4. Pr[𝐺
Proof.This claim holds in an obvious way, since the change of algorithm for evaluating   does not change the distribution of its values.Thus the probability that the adversary wins is the same in both Games 0 and 1.

Corollary 5. |Pr[𝐺
Proof.The difference between Games 2 and 1 is the coefficients of the target matrix.According to the confidentiality proof, these coefficients are indistinguishable since each  , is chosen uniformly at random, thus sharing the same distribution in the view of the adversary.Proof.The difference between Games 3 and 2 is that the output of PRF   () is replaced by uniformly random elements in G 1 .According to the pseudorandomness property of PRF, the probability that an adversary A distinguishes the two values is no better than   .The proof of this corollary is the same as that in [2]; we omit it here.
Combining the four claims together, we obtain that

Performance Analysis.
We also analyze the computational complexity of the proposed CP-PVC scheme for matrix-vector multiplication and compare it with existing works [2,19].Analogous to polynomial case, we first give detailed analysis on the computational costs of each algorithm in matrix-vector multiplication case.Let each letter denote the same item as that in the proposed scheme above.In the KeyGen phase, to compute the term    , the client needs to execute 3 + 1 times of exponential modulo and 2 times of multiplication arithmetic in group G 1 .To compute the matrix   , since  is sparse, only  times of addition arithmetic in N are executed.To generate the public key, one time of pairing arithmetic is executed.In the ProbGen phase, the client first needs to execute  times of addition arithmetic in N to get   .To generate the public verification key   , algorithm CFEkal Matx (⋅) is executed together with  times of pairing arithmetic.And to generate the private retrieval key, the client needs to execute three times of matrix-vector multiplication arithmetic with computation complexity being (), (), and (), respectively.In the Compute phase, the cloud server needs to execute one time of dense matrix-vector multiplication arithmetic to compute   and  times of exponential modulo and (−1) times of multiplication in group G 1 to compute term .
In the PubVer phase, to compute the corresponding terms in the checking equation, the third party verifier needs to execute  times of pairing arithmetic,  times of exponential modulo arithmetic in G  , and  times of multiplication arithmetic in G  , respectively.Finally, in the PrivRet phase, the client firstly needs to execute what is done in PubVer phase and then execute, respectively, three times of vector subtraction arithmetic in N to compute the result .
Next we present a complexity comparison between our scheme and existing works of PVC schemes for matrix-vector multiplication [2,19].Similar to the polynomial case, We also use the notation  to compare computational complexity.According to the specific analysis of each algorithm, the arithmetic computations take place in ring N and group G 1 , G 2 , G  .Thus we only use two types of notation,   and   , where   denotes the time complexity of operations in ring N including addition and multiplication and   denotes the time complexity of operations in group G 1 , G 2 , G  including multiplication, exponentiation, and bilinear map.Let  ×  be the problem size; then the comparison result is shown in Table 4. From the table we can see that, compared with the scheme in [2], ours has a complexity increase of   () in ProbGen and   () in PrivRet performed by the client.However, when the value of  is small, the part   () will be much less expensive than   ( + ).And   () is surely less expensive than   ().Therefore, by choosing a proper , the impact of the increasing complexity will not be obvious in the real performance.Compared with the scheme in [19], ours has a complexity increase of   () +   () in ProbGen and   () in PrivRet performed by the client.If  ≤ , or the difference between  and  is small, the complexity of   () and   ( + ) is nearly the same.Under this circumstance, our scheme can achieve a comparative performance with a small  chosen.What is more, our scheme achieves result confidentiality and partial input privacy that are considered to be important for user privacy.
We also provide an experimental evaluation on the client side to show the efficiency compared with direct algorithm for matrix-vector multiplication.Different from that in polynomial case, we have a sparse coefficient  in matrix-vector case.We choose different  values and show the time cost for different sizes of problems in Table 5, which is done in the previous conference version of this paper [24].Note that in the ProbGen phase, the time cost of  generation is related only to ,  but not to .However, the time cost of  generation is related to not only ,  but also .With a smaller , one can get a more efficient CP-PVC scheme, but this inevitably brings more risks to input privacy.This seems inherently a trade-off.Also, note that the computations in the PubVer and PrivRet phase are  times of bilinear map operation and three times of vector subtraction, respectively.This part of cost is too small to be counted in, so we omit it from the table.
From the table we can see that, no matter what the choice of  is, the total cost of  generation and  generation is much less than the original cost of matrix multiplication.Things can be more visualized in the column diagram of Figures 2 and 3 [24], where the volume of  generation (blue) and  generation (green) together is less than that of the original cost (red).Even when counting in the omitted time cost of PubVer and PrivRet phase, the CP-PVC scheme achieves an acceptable efficiency performance in practice.

Conclusion
We have proposed confidentiality-preserving publicly verifiable computation schemes for multivariate polynomial evaluation and matrix-vector multiplication.The proposed schemes achieve both public verifiability and result confidentiality, while the latter one also achieves partial input privacy.These security properties are considered to be important in practical application of publicly verifiable computation.With the experimental evaluation we have done, the scheme is also acceptable in practice.

2 .
Given random ,  ∈ Z  , one defines the advantage of an algorithm A in solving the co-CDH problem in G 1 , G 2 as Adk −ℎ A =      Pr [A (, , ℎ,   , ℎ  ) =   ]      (5) and one says that the co-CDH assumption (, ) holds in G 1 , G 2 if for every -time algorithm A one has Adk −ℎ A ≤ .
1/( ŷ−  ) .Thus, if A wins Game 3 with probability  ℎ , B solves the co-CDH problem with the same probability.This proves Claim 4.  times of multiplication and 2  times of addition arithmetic in N are executed.To generate the public key, one time of pairing arithmetic is executed.In the ProbGen phase, no execution needs to be done to generate   since   remains the same as input .To generate the public verification key   , algorithm CFEkal Poly (⋅) is executed together with one time pairing arithmetic.And to generate the private retrieval key, the client needs to execute two times of (-variate, 1-degree) sparse polynomial evaluation arithmetic.In the Compute phase, the cloud server needs to execute one time of (-variate,  + 1-degree) polynomial evaluation arithmetic to compute   and (  + 2)  times of exponential modulo in group G 1 to compute term .In the PubVer phase, to compute the corresponding terms in the checking equation, the third party verifier needs to execute one time of pairing arithmetic, one time of exponential modulo arithmetic in G [2,19]ing the four claims together, we obtain that Pr [EXP A [, , ] = 1] ≤   +  ℎ .(28)4.4.Performance Analysis.In this subsection, we analyze the computational complexity of the proposed scheme and compare it with some existing works[2,19].Our scheme is efficient in the amortized model.That is, the expensive KeyGen algorithm is executed once and its computational overhead is amortized by the following evaluation of the polynomial function with different input value.Here the structure of the function cannot be changed unless another KeyGen algorithm for a different function is performed.Now we give detailed analysis on the computational costs of each algorithm.Let each letter denote the same item as that in the proposed scheme above.In the KeyGen phase, to compute the term    , the client needs to execute 2(  + 2)  + 1 times of exponential modulo and (  + 1)  times of multiplication arithmetic in group G 1 .To compute the structure of function (⋅), (2(  +1))  , and one time of multiplication arithmetic in G  , respectively.Finally, in the PrivRet phase, the client firstly needs to execute what is done in PubVer phase and then execute, respectively, one time of subtraction and division arithmetic in N to compute the result .
Game 0. It is the same as Experiment EXP A [, , ].Game 1.It is similar to Game 0, with the difference that   contains an  ×  random matrix from Z × Game 2. It is similar to Game 1, with the difference that the ProbGen phase uses an inefficient algorithm ∏  =1   (, )   instead of the CFEkal Poly (,  1 , . . .,   ) to evaluate   .It is similar to Game 2, with the difference that each value   (, ) is replaced by a random element  , ∈ G 1 .
instead of .

Table 4 :
Comparison of the three PVC schemes for matrix vector multiplication.